-------- -" --

National Criminal Justice Reference Service

1----------------~~ ~. nCJrs

-,

This microfiche was produced from documents received for inclusion in the NCJRS data base. Since NCJRS cannot exercise control over the physical condition of the documents submitted, the individual frame quality will vary. The resolution chart on this frame may be used to evaluate the document quality.

1.0

111111.1

11111,·25 11111,·4 111111.6

MICROCOPY RESOLUTION TEST CHART NAnONAL BUREAU OF STANDARDS-1963-A

Microfilming procedures used to create this fiche comply with the standards set forth in 41CFR ~Ol-11.504.

Points of view or opinions stated in this document are those of the author(s) and do not represent the official position or policies of the U. S. Department of Justice.

National Institute of Justice ~.,; United States Departl}lerit of Justice Washington1 D. C. 20fi31,

t.

'. '/ I' ,-

j J }

\ I

: I f ,

- .

,

If you have issues viewing or accessing this file contact us at NCJRS.gov.

----_._ .. _-=_.

Crime Problems \1 Q')l/8d. L

Training is Q?'I16 3 L

Identification [4 q?t/~t/ l

Investigative Aids ria qf]!l85 [

The Legal Digest ria3 q?~0L

32

The Cover: Confron­tations with irrational, violent individuals are day-to.cfay occurrences which threaten the safety of police officers everywhere. (Staged training photo.) See article p. 1.

'.

rBI~ORCEMENT BULLETItI

JANUARY 1985. VOLUME 54. NUMBER 1

Contents Police In a Violent SOCiety l By Dr. John G. Stratton, Dr. John R. Snibbe, and Kenneth Bayless J Professors of the Street: Police Mentors J By M. Michael Fagan and Kenneth Ayers, Jr.

Interstate Identification Index ] By Emmet A. Rathbun

Criminal Codes and Ciphers-What do They Meanj_ By Jacqueline Taschner and Arthur R. Eberhart

Finetuning Miran'lf! Policies 1 By Char!~~ p.."R)J,ef4l1@ J

\}~u '='

Wanted by>th~F~~ l?~~t )\\w

..,.<,,(l(ll~g li~\1lll.\

~@e~\I

Federal Bureau of Investigation United States Department of Justice Washington, DC 20535

William H. Webster, Director

The Attorney General has delermlned that the publication of this periodical Is necessary in the transaction of the public business required by law of the Department of Justice. Use; of funds for printing this periodical has been approved by the Director of the Office of Management and Budget through June 6, 1988.

ISSN 0014-5688

Published by the Office of Congressional and Public Affairs, William M. Baker, Assistant Director

Editor-Thomas J. Deakin Assistant Editor-Kathryn E. Sulewski Art Director-Kevin J. Mulholland Writer/Editor-Karen McCarron Production Manager-Jeffrey L. Summers Reprints-Regena E. Archey

USPS 383-310

j !

t.

.,

, ;

-~ - ~ ------~

Criminal Cgdes and Ciphers Whatpo They Mean?

Cryptology, the study of secret writings, covers a broad spectrum of human activity. As long as man has been able to read and write, he has wanted or needed to keep some of these writings secret. Whatever can be written can be encrypted, abbrevi­ated, over simplified, or just plain mangled. However, the services of a cryptanalyst may be required to deter­mine the meaning of these writings.

The FBI Laboratory examines such puzzles, ranging from highly so­phisticated cipher systems to docu­ments containing "meaningless" cryp­tic notations. Laboratory personnel apply the principles of cryptanalysis not only to clandestine business records related to gambling but also to suspected criminal documents from prostitution, loansharking, and drug cases. These specialized examina­tions are a blend of cryptanalysis and analysis based on specific knowledge of different illicit business transac­tions.

ExamInation of Criminal Documents Most "bookie codes" are simple

substitution codes. The bookmaker disguises the true meaning of his records by simply substituting an ab­breviation, symbol, and/or shortened form of the word or words. For exam­ple, a horse bookmaker may record wagers placed on different horse races at New York's Aqueduct Race­track by merely using the horse's numbers, race numbers, and the letter "A." The notation "3A7 2 JD" would

By JACQUELINE TASCHNER

Cryptanalyst and

ARTHUR R. EBERHART Special Agent

Laboratory Division Federal Bureau of Investigation

Washington, DC

represent a $2 wager made by John Doe on Horse #7 running in the third race at Aqueduct. (See fig. 1.)

Sports bookmakers often record sports wagers using the team num­bers printed in different sports publi­cations. For example, the notation "14-500" seen in figure 2 means a $500 bet was placed on the Philadel­phia Stars.

Bookmakers have also relied on a very old "masonic cipher" to dis­guise important information as unintel­ligible symbols. This system uses two tic-tac-toe diagrams and two "X" pat­terns to represent the letters of the al­phabet:

*m W

When a bookie enciphers the name "Harry Smith" using this system, it ap­pears as:

n J r: r. <: . V!J r> rt HARRY SMITH

While an investigator may be baf­fled by these symbols, a trained crypt­analyst could decipher it with little effort.

Besides these simple substitution ciphers, gambling jargon, which itself is a form of code, can be decrypted by a cryptanalyst. Solving these simple codes is based on the common characteristics of gambling records, fundamentals of cryptanalytic procedure, and the use of reference materials, SL.th as the Daily Racing Form and sports schedules.

Concealing bettors' and other bookmakers' telephone numbers has long been a major concern of illegal bookmakers. If most of the telephone numbers are from the same town having a single telephone prefix, de­leting the first two digits of the tele­phone number may be enough to fool the untrained eye of the investigator. For example, Harry Smith's telephone number, 752-0321, in Wel/stown will be recorded as "20321." The book­maker knows that aI/ the Wel/stown prefixes are 752.

A more complex telephone number cryptosystem uses an additive (a series of numbers added to one or aI/ of the digits in the telephone number). For example, a series of 1 's

18/ FBI Law Enforcement Bulletin ________________________________ _

/! ;

"As long as man has been able to read and write, he has wanted or needed to keep some of these writings secret."

Agure 1 Horse race bets

3 A"1 d-

MS 4 B3 4-+ 5 B I JJ.J..

1 &9 )( X~

® can be add.ed to the telephone number given for Harry, making the notation in an address book "Harry 863-1432." However, that number could be nonexistent, and the investi­gator would not easily associate this phony number with the true bettor, Harry Smith, without the help of a cryptanalyst.

The telephone itself provides a simple substitution system which the bookie can use to record telephone numbers. One of three letters printed above a digit may be used to repre-

John Doe (Bettod

T~er r race at Aqueduct Irorse '7 $2.00 to win

Mary' Smitn (Bettor}

wffiers 4 race at Bowie Irorse 1I3 $4.00 to win, $4.00 to place

5th race at Bowie Horse 11 $2.00 to win, place and show

7th race at Bowie Irorse t9 $2.00 to show

(no win or place betsl

$16.00 total wager

sent that particular number. However, since "1" and "0" have no such des­ignations, the letters "Q" and "Z," re­spectively, are used as cipher equiva­lents for these digits. (See fig. 3.) This system provides variants which help disguise the substitution process. Thus, Harry's telephone number, 752-0321, would be recorded as "PJA­ZECQ."

A more-sophisticated telephone number encryption system uses a 10-letter keyword having no repeated let­ters. One letter is substituted for each

digit from 1 through O. Using the key­word "CUMBERLAND," the bookie will encipher Harry's telephone number as "LEUDMUC:"

Keyword Digits

CUM8ERLAND 123 4 5 678 9 0

752-0321 Harry's true telephone number

LEU DMUC Encrypted number found in the bookie's notes

The cryptanalytic attack on records containing such enciphered telephone numbers involves identify­ing the 10 letters, LEUDMC plus ABNR (developed through other tele-

Agura2

D,:[:~'>X'~ I I I I I D::[~:.-·~'- I I I 1 D::I~~'~'- I I I I

Monday. April 16

D::I~~'~'- I I I I D::I~~"'- I I I I 1

__ __________________________________________________________________________ Janua~1985/19

-------_." «««<>

..

I

~ \

~

Figure 3 Telephone dial and letter equivalents

(Q) MC DEl? 1 2 3

GHI JKL .MNO 4 5 6

PRS TUV WXY 7 8 9

czl 0

phone numbers). These 10 letters are then anagrammed (rearranging the letters to form a readable word or words) by pairing letter combinations frequently used in the English lan­guage, such as ER and AND. Through trial and error, the cryptanalyst will anagram the correct keyword. Proof of the accurac~ of the keyword comes from the criss-cross directory 1 and local telephone books.

Examination of Drug-related Records

Keyword systems for telephone numbers are not limited to illegal gam­bling operations. In a drug-related rnoney laundering scheme, investiga­tors sent telephone address books containing strange notations to the FBI Laboratory for analysis. The docu­ments were suspected of containing telephone numbers of individuals in­volved in the operation. Subsequent examination determined the letters of the keyword, MONEYT ALKS, were used to represent the digits 1 through O. The decryption provided valuable investigative leads useful in breaking up this operation.

A more-complex substitution system was used in a drug case in

20 I FBI Law Enforcement Bulletin

Harry-s telephone number:

752-0321

Encrypted numbers:

PICA ZFCQ RJB ZEBQ SLC ZDAQ P.:TA ZDAQ, etc.

which a chemist tried to disguise the records of his clandestine phencycli­dine (PCP) laboratory. When Drug En­forcement Agency agents raided the laboratory, they located notebooks containing page after page of one­and two-digit numbers. (See fig. 4.)

From the decryption, a chart could be constructed showing the re­lationship between the numerical cipher text equivalents and the plain text letters. This substitution chart was: 1 3 11 19 37 55 87 4 12 203B 56 BB ABCDEFGH IJKLM

21 39 57 89 22 40 72 23 41 73 24 42 74 N 0 paR STU V W x y z

With this information, the cipher is readable, but the analysis was only partially completed. The reconstruc­tion of the key (used to remember the system) was then required. Analysis of the substitution numbers revealed a pattern when the numbers were re­grouped as follows:

1 3 4

11 12 19 20 21 22 23 24 37 38 39 40 41 42 55 56 57 72 73 74 8788 89

Figure 4 Portion of evidence seized in PCP laboratory

:C1.ii "'.;J'~.J' l'.oI, u.J1.n,!I,"O '" I,.U," ~.p..n nl .• CI.l

.sf,I.l • .sl.Jl • ..u,t.1,1',lol,oll..Jl @)II." G§>n.51. eEl·

'I,ll,!" @l .. ,so 9 u _" @

.aI, 4 •• J',4 ® ..... @)n,5lo @

II, <1~,II,n.J'.4.Jl."'4.I...U.J,,~IIJ' @II .... ~U,g §

n.llj ol l f® il

JJ,1.Z·.",Jf.oU. 8"-" 9" ... @ ...

J, .u.,J'. n,J', J,J1 •• u.1't.JJ.olI,Jl <9 ".fOb 8 u.5L Gl ",'1 @Il @'r @

..t1 .... ,III~ @ '1 - -if, fl, ,",0, J'~ e £1 @ If @

1,11,41. f.1. • .! •• .a.I,Jl 6>"'''' e ll, .. @*, J,Jl.~, 1", Jl,:I!Jl _~ _~~_ II::'!. § ~_ ~~_~

With these types of patterns, the cryptanalyst must focus on the case to determine why they occur. Since this was a drug case involving a chemist, chemistry or chemicals would be a good starting point. With a little research into basic chemistry, the pattern was found to resemble the structure of the standard Periodic Table of Elements. The "atomic num­bers" of the elements in the first column are the same as the first seven equivalents in the cipher alpha­bet:

Atomic Number

Letter 1 3 11 19 37 55 87 ABCDEFG

The atomic numbers for the first six columns of the periodic table were used as the key for the ciphers. (See fig. 5.) A periodic table hanging on the wall by the chemist's workbench sup­ported this hypothesis.

Even so, examination of this ma­terial had yet to be completed. The decrypted notebooks contained de­tailed records concerning the scope andrinancial picture of the illegal PCP manufacturing operation. These docu­ments revealed:

--------~------------------------------- ---------

r--; ! -{ f I I 1

1 j" I

1

\

I )-

I

I II II

1.1 'j

I'

I i

Ii U

1) The various chemicals used to make PCP,

2) The actual q!Jantities of each chemical needed per batch,

3) Notations indicating that one batch of PCP was made per week,

4) The current inventory of chemicals,

5) Calculations of how long the supply of each chemical would last,

6) What chemicals were "on order" and from which chemical suppliers,

7) Dates that chemical orders were sent and anticipated delivery dates,

8) A cost breakdown per batch of PCP (by individual chemical price),

9) Notations for "rent" ($100) and the chemist's "minimum salary" ($1,000), and

10) Profit calculations per batch, based on a minimum sale price of $800 per lb.

The periodic table of the elements FigureS RepresentatJv~ Etem6nts

These financial records were also compared to other accounting records found during the investigation. The common notations were traced through three separate accounts, indi­cating a conspiracy.

As can be seen, a orug importer or dealer disguises the true meaning of his records in the same way as a bookie-by simply substituting an ab­breviation, symbol, and/or shortened form of a word or words. The record of a drug sale usually would not con­tain the clearly incriminating message, "One kilogram of cocaine sold to John Doe for $58,500 on January 1, 1983." The record might more com­monly be written "1 k JD 58.5 1/1."

Cryptanalysts are able to derive a wealth of information from the jottings of a drug dealer or trafficker. They can tell what kinds of drugs are in­volved in the operation. the extent of the operation (the quantity of drugs in­volved, the number of people in­volved, and the amount of profit ob­tained), possible evidence of a, con-

Representative Elements

!

~ He ~l Transition Elements ~'B lVB VB VIB VIIB 2 • IIA

LI Be

1/ \ B C N 0 F Ne

3 4 5 6 7 6 • .0

Na Mg VIII AI 51 P 5 CI Ar

• " .2 iliA IVA VA VIA VilA I , IB liB .3 14 '5 I. 17 .8

K C. Sc TI V Cr Mn Fe Co NI CU Zn Ga Ge As Se Bt Kr

I. 20 2. 22 23 2' 25 26 27 28 29 30 3. 32 3J 34 35 36

Rb 5r V Zr Nb Mo Tc Ru Rh Pd Ag Cd In Sn 5b Te I Xe

37 313 3. 40 4. 42 43 .. 45 46 47 48 4. 50 5' 52 53 54

Cs B. HI T. W R. o. Ir PI Au Hg TI Pb Bi Po A. Rn

55 51; 57- 72 i 73 74 75 76 17 76 79 80 6' 82 63 .. ~-~ Fr R. t 67 e~ 89- .0< .05

Inner Transition Elements

La Ce Pr Nd Pm Sm Eu Gd Tb Dy Ho Er Tm Vb Lu

57 58 59 60 6. 82 63 64 65 66 67 68 60 70 7.

t Ae Th Pa U Np Pu Am Cm Bk ct E. Fm Md No Lr

89 90 9. 92 93 .. 95 96 97 98 99 .00 '0' 102 .03

spiracy, and other information that may be useful to the investigator.

Prosecutors also benefit from this information as well. In one case, a man accused of dealing heroin claimed he was only a user. When the transaction records were suhmitted to the FBI Laboratory for examination, the cryptanalyst determined that the accused had bought over 7,000 "bin­dies" of heroin, worth almost $500,000, in just a 6-month period. Thus, the cryptanalyst's testimony in court was helpful in successfully pros­ecuting the men as a dealer, not a mere user.

Sometimes ledgers and records cannot be identified as drug-related because they are incomplete or sparse. For example, three encrypted ledger pages were sent to the FBI for examination. The ledgers contained a simple substitution cipher, where the digits in the ledger were replaced by symbols in the following manner:

·i4cx~+mr; 1 2 3 4 5 6 7 8 9 0

While the cryptanalyst was not able to say that the records were the type found in a cocaine-trafficking oper­ation, subsequent testimony revealed the clandestine nature of the records and the criminal intent (by conceal­ment) of the defendant.

There is not always a one-to-one relatio::1ship between the symbols or letters in a ledger and the digits they represent. Sometimes, a character can represent a specific amount. For example, figure 6 shows a piece of paper seized in a prostitution investi­gation. When decrypted, the following equivalents were found:

A X + 0 0 I 50 20 15 10 5 1

JBnuary 1985 I 21

~ - .. --

II

U

The remaining records were analyzed to determine the scope of the busi­ness, the number of employees, their roles, and the gross and net reve­nues. The "490" shows the amount of money earned by "Karen," half of which was given to the "house." From the $245 Karen earned that day, $15 was paid to rent the room, a no­tation that consistently appeared in the records.

Occasionally, mysterious nota­tions are completely innocent. When investigating a theft of valuable an­tiques, police found the following strange notation on the front door of

22 I FBI Law Enforcement Bulletin

the house adjacent to the burglary lo­cation:

HFIOIR ATMHCE OPLOLS ETC-TI ISN$G6 50

Some clever paperboy almost became implicated in the crime. How­ever, when deciphered by rearranging the letters, the note read: HI I AM COLLECTING FOR THE POST-IS $650 (sic). This is a variation of the "rail fence" cipher, so named be­cause the plain text resembles the slats of an old rail fence when com­pletely written out.

Conclusion

Investigative personnel are en­couraged to consult with a cryptana­lyst regarding dubious records or doc­uments. Cryptanalysts do more than work on the conspicuous, unintelligi­ble jottings of a criminal. Major con­spiracy networks, like all organiza­tions, depend on communications. Be­cause of the illegal nature of the work, the correspondence may be dis­guised by a cipher system, and the cryptanalyst could help an investigator to get the full value of evidence ob­tained.

Because of the unique nature of the examinations and services provid­ed by the FBI Laboratory and the vari­ety of evidence which may be en­countered, it may be appropriate to contact the Laboratory to resolve any questions which arise by writing:

Director, FBI Attn: Laboratory Division

Document Section Washington, DC 20535

The services of the FBI Laborato­ry are available to all Federal agen­cies, U.S. attorneys, and military tribu­nals in both criminal and civil matters. These services are also available to all duly constituted State, county, and municipal law enforcement agencies in criminal investigative matters. Expert witnesses are also available to testify in judicial proceedings.

PBI

Footnote

A criss-cross directory Is a book which Usts Infonnation on published telephone subscriptions. The directory Is often organized In three parts: By telephone number, subscriber, and address. These three sections can easily be cross-referenced to yield other Investigative Information.

---------

~ \

;

I} tj

\

"---"'"

o \